Koobface
Koobface is a worm that affects the Microsoft Windows operating system and is known for targeting the social networking site Facebook, spreading via infected wall posts. It was first documented in 2008, but Koobface was at the height of its operations in 2009 and 2010. While the name suggests that this family uses Facebook to spread, its variants were also known to use other social networking sites such as Twitter and Myspace. It uses social engineering to get users to click on a link that appears to lead to a video. The video itself is fake, but it is hosted on a site that imitates YouTube. The site then gets users to install a file to view the video; that file is actually the malware.

VBInject

VBInject is a trojan that Koobface uses. It is a name applied to certain forms of obfuscated malware. The loader is written in Visual Basic and the malicious code is encrypted. The original file behaves as a loader for the encrypted malicious code, so the code can serve virtually any purpose.

The Attack

If the download is allowed, Koobface runs a local web server and an IRC server, allowing it to act as part of a botnet, change DNS settings, and activate many other functions. These functions are installed either by the initial download or by other files installed later.

Variants

Koobface.AV

Upon execution, this worm sends an HTTP request to its C&C server to download a file. It saves the downloaded file as %Current%\123.tmp, which contains a download link to a torrent file pointing to Trojanized software. It then uses its dropped uTorrent client to silently download the referenced Trojanized software, leading to the download of several components. As of writing, the downloaded files are detected as follows (these are Trend Micro aliases):
*TROJ_SPAMMER.AA
*WORM_KOOBFACE.AV
*WORM_KOOBFACE.FE
*WORM_KOOBFACE.FH
*WORM_KOOBFACE.FI
*WORM_KOOBFACE.FK
*WORM_KOOBFACE.MJ
*WORM_KOOBFACE.MM
It then executes the downloaded files. As a result, the malicious routines of the downloaded files are exhibited on the system. This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Koobface.AV may steal system information and user credentials, download other malware, and open a backdoor on the affected system. Some variants of this malware family have been linked to FAKEAV distributors. Newer variants employed traffic direction systems.

Koobface.X

This worm deletes itself after executing some files.
*WORM_KOOBFACE.X (Trend Micro)

Koobface.HQ

This worm contains errors in its code, which stop it from performing its routines.
*WORM_KOOBFACE.HQ (Trend Micro)

JS/Koobface.H

This is the JavaScript that Koobface uses.
*JS_KOOBFACE.H (Trend Micro)
*Worm/Koobface.H (AVG)

Koobfa-Skype

Koobfa-Skype is similar to the other variants apart from the application it targets, and it is part of the Koobface malware family. It was the first variant to target Skype. Its author is unknown.
*Worm/Koobfa-Skype (Virus Database)

OSX/Koobface.A

OSX/Koobface.A is a Mac version that spreads via social networks such as Facebook, MySpace, and Twitter.
*Worm:OSX/Koobface.A (Microsoft)

Koobface.DC

This variant attacks Twitter.

Koobfa-Gen

This variant attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo, and fubar.
*Net-Worm:W32/Koobface.gen (F-Protect)

Other variants

*Koobface.gen!F
*Koobface.D
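As an added example that is not part of this article, the following Python sketch correlates endpoint events against the Koobface.AV chain described under Variants: 123.tmp written, a uTorrent client launched from the same directory, then a newly downloaded executable run from that directory. The event format, host names, file paths and the correlation window are assumptions, and the sample events are constructed, not a real log.

```python
import ntpath
from collections import defaultdict

# Constructed sample events: (timestamp_s, host, event_type, detail).
# Paths and hosts are invented for this example; "ws02" only writes a lone
# 123.tmp and must not alert.
SAMPLE_EVENTS = [
    (100, "ws01", "net_http", "GET http://c2.example.invalid/get"),
    (101, "ws01", "file_write", r"C:\Users\bob\123.tmp"),
    (103, "ws01", "proc_start", r"C:\Users\bob\utorrent.exe /HIDE"),
    (140, "ws01", "file_write", r"C:\Users\bob\ld12.exe"),
    (141, "ws01", "proc_start", r"C:\Users\bob\ld12.exe"),
    (100, "ws02", "file_write", r"C:\Users\amy\123.tmp"),
]

WINDOW_S = 600  # assumed correlation window, not a value from the write-up


def _dir(path):
    return ntpath.dirname(path).lower()


def _image(cmdline):
    # First token of the command line; assumes no spaces in the image path.
    return cmdline.split()[0]


def detect_koobface_av_chain(events, window=WINDOW_S):
    """Return {host: [matched stage descriptions]} for hosts whose events
    reproduce the Koobface.AV chain within `window` seconds of the drop."""
    by_host = defaultdict(list)
    for ts, host, etype, detail in events:
        by_host[host].append((ts, etype, detail))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for ts0, etype, detail in evs:
            if etype != "file_write" or not detail.lower().endswith("\\123.tmp"):
                continue
            drop_dir = _dir(detail)
            stages = ["123.tmp dropped in " + drop_dir]
            later = [e for e in evs if ts0 < e[0] <= ts0 + window]
            # Stage 2: a uTorrent image started from the drop directory.
            if any(e[1] == "proc_start" and _dir(_image(e[2])) == drop_dir
                   and "utorrent" in ntpath.basename(_image(e[2])).lower() for e in later):
                stages.append("uTorrent launched from drop directory")
                # Stage 3: an .exe written to that directory and then executed.
                written = {e[2].lower() for e in later if e[1] == "file_write"
                           and e[2].lower().endswith(".exe") and _dir(e[2]) == drop_dir}
                run = [e[2] for e in later if e[1] == "proc_start" and _image(e[2]).lower() in written]
                if run:
                    stages.append("downloaded payload executed: " + run[0])
            if len(stages) >= 2:  # drop alone is too weak; require the torrent stage
                alerts[host] = stages
    return alerts
```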